Use Case: NBTSTAT Collection of Hostname and Domain Data
- Pavan Raja
- Apr 9
- 7 min read
Summary:
This document outlines a method for gathering information about the remote endpoints of Cisco ASA VPN sessions by running NBTSTAT against the internal IP address each VPN client is assigned. The objective is to collect NetBIOS over TCP/IP (NBT) name-table data (hostname, domain and MAC address) for every connecting host, so that the organization can verify that only approved, domain-joined machines are using the VPN.
**Key Points:**
1. **Use Case Description:**
- Employees connect to the corporate network via VPN using a PCF file containing shared keys and profile information; that file could be copied to an untrusted machine.
- The use case runs the NBTSTAT command against each remote host connected through the VPN (the internal IP the ASA assigned it) to collect its NetBIOS name table.
2. **Implementation Details:**
- A Perl script, `VPN_Login_NBTSTAT.pl`, executes the NBTSTAT command and reports the result.
- It interacts with ArcSight components: subagent SDKR file reader properties files for parsing, and rules for error handling and data collection.
3. **Scripts and Properties:**
- `VPN_Login_NBTSTAT.pl`: Executes the NBTSTAT command to collect NetBIOS information from VPN-connected hosts.
- `arcsight_nbtstat.subagent.sdkrfilereader.properties`: Parser configuration for the subagent, defining how NBTSTAT results are mapped into events.
- `arcsight_nbtstat_error.subagent.sdkrfilereader.properties`: Parser configuration for the errors raised during script execution, so that the relevant rules can trigger.
4. **ArcSight Rule Development:** Two main rules are defined in ArcSight:
- `/All Rules/Personal/admin/VPN ASA – Collect NetBIOS Host Info when internal IP assigned`: Triggers the Perl script to collect info via NBTSTAT when a user is assigned an internal IP on the Cisco ASA.
- `/All Rules/Personal/admin/VPN ASA – VPN Login NBTSTAT Failed to collect Hostname`: Catches events where NBTSTAT failed to resolve NetBIOS info for an IP and adds the details to an active list.
5. **Active Lists:**
- `/All Active Lists/Personal/admin/AD – Approved Domains`: List of valid domains allowed on the network.
- `/All Active Lists/Personal/admin/VPN ASA – VPN Remote Username to Internal IP Mapping when NetBIOS does not resolve`: Users whose hostname could not be resolved using NBTSTAT are listed here for further analysis and possible action based on the organization's policies.
- `/All Active Lists/Personal/admin/VPN ASA – NetBIOS Info of VPN Remote User collected via NBTSTAT`: Lists users whose hostname, MAC address, and domain were successfully resolved by NBTSTAT.
6. **Purpose:**
- The primary purpose is to monitor which machines are connecting through the VPN and to ensure that only authorized, domain-joined hosts reach network resources.
- Comparing the collected NetBIOS domain against the approved-domain list identifies unapproved devices, such as a personal machine using a copied PCF profile.
7. **Security Implications:**
- Collecting NetBIOS name-table data for every VPN client gives a per-session record of hostname, MAC address and domain, and lets each session be checked against the pre-approved domain list.
- Devices that report an unapproved domain, or that cannot be queried at all, are recorded in active lists for follow-up instead of being silently accepted.
**Conclusion:** This document describes a mechanism for monitoring VPN access by combining NBTSTAT, a Perl script and ArcSight rules, so that VPN clients whose NetBIOS domain is not on the approved list, or that cannot be queried at all, are flagged for follow-up in line with organizational policy. The result is visibility into which machines, not only which users, are connecting, which strengthens the overall network security posture.
Details:
This document outlines a use case for gathering remote host information with NBTSTAT for users connecting through Cisco ASA VPN services. The purpose is to collect NetBIOS over TCP/IP (NBT) name-table data from each remote host for the duration of its VPN session.
**1. Use Case Description:**
The company allows employees to connect to the corporate network via VPN from their company-owned laptops, which are provisioned with a PCF file containing the shared key and profile information for VPN access. This use case assumes that an employee could copy that PCF file to another, untrusted workstation (company-owned or not), which would then be able to establish the same VPN session.
The scenario involves Cisco ASAs running the VPN service; the goal is to query the NetBIOS name table of each remote host once it has been assigned an internal IP. The hostname, NetBIOS domain or workgroup, and MAC address obtained this way identify which machine an employee is connecting from, which is what makes the data useful for security and management purposes.
**2. Implementation Details:**
To implement this use case, a script called `VPN_Login_NBTSTAT.pl` is used, which runs the NBTSTAT command to gather information about remote hosts. The script interacts with various ArcSight components such as subagent SDKR file reader properties and rules for error handling and data collection.
**Scripts and Properties:**
`VPN_Login_NBTSTAT.pl`: This Perl script executes the NBTSTAT command to collect NetBIOS information from remote hosts accessed through VPN connections.
`arcsight_nbtstat.subagent.sdkrfilereader.properties`: Configuration file for the subagent used in ArcSight, which defines properties related to the NBT statistics collection process.
`arcsight_nbtstat_error.subagent.sdkrfilereader.properties`: This property file is specifically configured to handle and log errors encountered during the execution of the NBTSTAT command.
**Rules and Lists:**
`/All Rules/Personal/admin/VPN ASA – Collect NetBIOS Host Info when internal IP assigned`: This rule fires when a VPN user is assigned an internal IP address on the ASA and launches the NBTSTAT collection against that address.
Other rules and lists under the same section handle the errors and results of the NBTSTAT command, such as a failure to collect a hostname or a returned domain that is not on the approved list.
This use case gives network administrators visibility into which machines employees are connecting from through the VPN, which helps in managing security risks and compliance issues.
To summarize, this document outlines a method to detect unauthorized devices connecting to a company's VPN by comparing the Active Directory domain listed in NBTSTAT results with a list of approved domains. The process involves using several tools and scripts tailored for Windows environments.
The main components include:
1. **VPN_Login_NBTSTAT.pl**: A Perl script designed to run on Windows, which takes a username and an IP address as arguments. It pings the IP address and then runs `nbtstat -a` against it to retrieve the hostname, domain and MAC address. The results are sent via syslog to an ArcSight connector for further analysis.
2. **arcsight_nbtstat.subagent.sdkrfilereader.properties**: Parser configuration loaded into the ArcSight connector, defining how the script's result messages are mapped into event fields; its log settings are customized to the customer environment.
3. **arcsight_nbtstat_error.subagent.sdkrfilereader.properties**: Similar to the above but tailored for error handling and logging in case of issues during execution.
To implement this solution, ensure that the Perl `Net::Syslog` module is present in the script's `\lib` directory, as it is not bundled with ActivePerl for Windows. Adjust the `$vpn_log` and `$syslog_server` variables in the script to match your environment before deployment.
This method lets companies detect unapproved devices connecting via VPN. The risk is real because a VPN session grants a remote device the same network access it would have sitting at a desk in corporate headquarters, regardless of whether the device is approved.
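As an added example (not the author's Perl script and not part of the original page), the same collection step in Python: parse `nbtstat -a` output into hostname, domain and MAC address, and format a syslog message that uses the two error strings the page says the error parser looks for ("Could Not Ping" and "Could Not perform NBTSTAT"). The nbtstat output samples are constructed, and the key=value event layout is this example's own assumption; the real field layout is defined by the page's properties files, which are not shown.

```python
import re
import socket
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `nbtstat -a <ip>` output for a domain-joined client; not captured from a real host.
SAMPLE_OK = """\
Local Area Connection:
Node IpAddress: [10.20.30.40] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WKS-4471       <00>  UNIQUE      Registered
    CORPDOMAIN     <00>  GROUP       Registered
    WKS-4471       <20>  UNIQUE      Registered
    CORPDOMAIN     <1E>  GROUP       Registered

    MAC Address = 00-0C-29-3A-1B-7F
"""

# Constructed sample for a host that does not answer NetBIOS name queries (UDP/137 filtered or NBT disabled).
SAMPLE_NOT_FOUND = """\
Local Area Connection:
Node IpAddress: [10.20.30.41] Scope Id: []

    Host not found.
"""

# One name-table row: NAME <suffix> UNIQUE|GROUP Status
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\S+\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")


@dataclass
class NbtInfo:
    hostname: Optional[str] = None  # UNIQUE <00>: the workstation service name
    domain: Optional[str] = None    # GROUP <00>: the domain or workgroup the host reports
    mac: Optional[str] = None


def parse_nbtstat(output: str) -> Optional[NbtInfo]:
    """Extract hostname, domain/workgroup and MAC from nbtstat -a output.
    Returns None when no name table came back (the 'Host not found.' case)."""
    info = NbtInfo()
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3)
            if suffix == "00" and kind == "UNIQUE" and info.hostname is None:
                info.hostname = name
            elif suffix == "00" and kind == "GROUP" and info.domain is None:
                info.domain = name
            continue
        m = MAC_RE.search(line)
        if m:
            info.mac = m.group(1).upper()
    return info if info.hostname else None


def format_event(user: str, ip: str, info: Optional[NbtInfo], error: Optional[str] = None) -> str:
    """Build the syslog payload. The key=value layout is this example's assumption; the page's
    sdkrfilereader properties files define the real parser format. The two error strings are the
    ones the page says the error parser captures."""
    if error is not None or info is None:
        reason = error or "Could Not perform NBTSTAT"
        return f'VPN_NBTSTAT status=error user={user} ip={ip} reason="{reason}"'
    return (f"VPN_NBTSTAT status=ok user={user} ip={ip} hostname={info.hostname} "
            f"domain={info.domain or ''} mac={info.mac or ''}")


def collect(user: str, ip: str) -> str:
    """Ping the assigned internal IP, then query its NetBIOS name table (Windows ping/nbtstat syntax).
    Arguments are passed as a list, never through a shell, so a crafted username cannot inject commands."""
    ping = subprocess.run(["ping", "-n", "1", "-w", "2000", ip], capture_output=True, text=True)
    # Windows ping exits 0 on "Destination host unreachable" replies, so also require an echo reply line.
    if ping.returncode != 0 or "TTL=" not in ping.stdout:
        return format_event(user, ip, None, "Could Not Ping")
    nbt = subprocess.run(["nbtstat", "-a", ip], capture_output=True, text=True)
    return format_event(user, ip, parse_nbtstat(nbt.stdout))


def send_syslog(message: str, server: str, port: int = 514) -> None:
    """Send one UDP syslog datagram; PRI 14 = facility user(1)*8 + severity info(6)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(f"<14>{message}".encode(), (server, port))


if __name__ == "__main__":
    import sys
    username, assigned_ip, syslog_server = sys.argv[1:4]
    send_syslog(collect(username, assigned_ip), syslog_server)
```

Run it as `python collector.py <username> <assigned-ip> <syslog-server>` from the host that will be doing the querying (the assumed file name is arbitrary). Only the UNIQUE `<00>` and GROUP `<00>` rows are used: the `<20>` and `<1E>` rows repeat the same names for the server and browser services, so taking the first `<00>` entry of each kind avoids overwriting the hostname with a later row.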
This document describes several components used in a system for tracking user access via VPN, specifically using the Perl script and NBTSTAT tool. The key elements include:
1. **Properties Files**:
`arcsight_nbtstat_error.subagent.sdkrfilereader.properties`: A custom parser designed to be loaded into a Syslog Daemon connector. It captures all errors generated from running the Perl script, primarily including "Could Not Ping" and "Could Not perform NBTSTAT".
2. **ARB File**:
`VPN_Access_-_Perform NBTSTAT.arb`: Contains multiple rules and active lists for monitoring user access to the VPN. The specific components are:
`/All Active Lists/Personal/admin/AD – Approved Domains`: A list of valid domains allowed on the network.
`/All Active Lists/Personal/admin/VPN ASA – VPN Login NBTSTAT Failed to collect Hostname`: Contains users whose hostname could not be resolved using NBTSTAT.
`/All Active Lists/Personal/admin/VPN ASA – NetBIOS Info of VPN Remote User collected via NBTSTAT`: Lists users whose hostname, MAC address, and domain were successfully resolved by NBTSTAT.
3. **Rules within the ARB File**:
`/All Rules/Personal/admin/VPN ASA – Collect NetBIOS Host Info when internal IP assigned`: Triggers the Perl script to collect info via NBTSTAT when a user is assigned an internal IP on a Cisco ASA.
`/All Rules/Personal/admin/VPN ASA – VPN Login NBTSTAT Failed to collect Hostname`: Catches events where NBTSTAT failed to resolve NetBIOS info for an IP, adding details to the active list `/All Active Lists/Personal/admin/VPN ASA – VPN Remote Username to Internal IP Mapping when NetBIOS does not resolve`.
`/All Rules/Personal/admin/VPN ASA – VPN Login NBTSTAT Results`: Processes the results sent by the NBTSTAT Perl script and adds the resolved hostname, MAC address and domain to the NetBIOS info active list.
These components together form a system for monitoring and managing VPN access based on NetBIOS information gathered by the Perl script and NBTSTAT tool.
The ARB file's two result-handling rules are described in more detail below. They work together with the script, the parsers and the active lists to detect devices that should not be on the VPN.
1. **NetBIOS Information Collection Rule:**
This rule triggers when the Perl script successfully retrieves the NetBIOS name table of a VPN client using the NBTSTAT command.
The hostname, MAC address and domain are added to the active list "/All Active Lists/Personal/admin/VPN ASA – NetBIOS Info of VPN Remote User collected via NBTSTAT."
It thereby records which machine, not only which user, is behind each VPN session, giving analysts a per-session inventory to investigate from.
2. **Domain Approval Check Rule:**
The second rule fires when the domain value returned by the NBTSTAT script does not match any entry in "/All Active Lists/Personal/admin/AD – Approved Domains."
A host that reports a workgroup or a foreign domain is not one of the company's domain-joined laptops, so this is the signal that an unapproved device (for example a personal machine using a copied PCF profile) has connected to the VPN.
When this rule triggers, the session should be treated as a policy violation and investigated by the security team; the active lists supply the username, internal IP, hostname and MAC address needed for follow-up.
The rules are complementary: one records detailed host information for every session, the other checks that information against the approved-domain list. Together with the failure-handling rule, they cover the three outcomes of a collection attempt: resolved and approved, resolved but unapproved, and not resolvable.
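To make the rule and active-list behaviour concrete, here is an added example (the page's ArcSight rules are not shown as code, and this is not the author's content) that models the collection trigger, the failure rule, the results rule and the domain approval check from the Details section and the two rules above as one small Python correlator. The input events are constructed in the same key=value layout assumed for the collector example earlier on this page; the real layout is whatever the page's properties files define.

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed collector events in an assumed key=value layout (this example's own convention; the
# page's properties files define the real parser format). Two successes, two failures.
EVENTS = [
    "VPN_NBTSTAT status=ok user=jdoe ip=10.20.30.40 hostname=WKS-4471 domain=CORPDOMAIN mac=00-0C-29-3A-1B-7F",
    "VPN_NBTSTAT status=ok user=msmith ip=10.20.30.42 hostname=HOME-PC domain=WORKGROUP mac=00-50-56-AB-CD-EF",
    'VPN_NBTSTAT status=error user=rlee ip=10.20.30.41 reason="Could Not perform NBTSTAT"',
    'VPN_NBTSTAT status=error user=akim ip=10.20.30.43 reason="Could Not Ping"',
]

SessionKey = Tuple[str, str]  # (username, assigned internal IP)


def parse_event(raw: str) -> Optional[dict]:
    """Split a collector line into fields; quoted values (the reason strings) stay intact."""
    try:
        parts = shlex.split(raw)
    except ValueError:
        return None
    if not parts or parts[0] != "VPN_NBTSTAT":
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return fields if {"status", "user", "ip"} <= fields.keys() else None


@dataclass
class VpnNbtCorrelator:
    """In-memory stand-in for the three active lists and the rule logic described on the page."""
    approved_domains: set                                            # AD – Approved Domains
    collected: Dict[SessionKey, dict] = field(default_factory=dict)  # NetBIOS Info ... collected via NBTSTAT
    unresolved: Dict[SessionKey, str] = field(default_factory=dict)  # Username to Internal IP Mapping when NetBIOS does not resolve
    unapproved: List[dict] = field(default_factory=list)             # hits of the domain approval check

    def __post_init__(self) -> None:
        # NetBIOS names are case-insensitive, so compare in upper case.
        self.approved_domains = {d.upper() for d in self.approved_domains}

    def on_internal_ip_assigned(self, user: str, ip: str) -> List[str]:
        """Collection trigger: when the ASA assigns an internal IP, launch the collector for that session.
        (The script name is the one the page gives; the argument order is the page's: username, then IP.)"""
        return ["perl", "VPN_Login_NBTSTAT.pl", user, ip]

    def process(self, raw: str) -> Optional[str]:
        """Failure, results and domain-check rules: route a collector event to the failure list or the
        info list, then check the reported domain. Returns the action taken, None for an unparseable line."""
        fields = parse_event(raw)
        if fields is None:
            return None
        key: SessionKey = (fields["user"], fields["ip"])
        if fields["status"] != "ok":
            self.unresolved[key] = fields.get("reason", "unknown")
            return "unresolved"
        record = {k: fields.get(k, "") for k in ("hostname", "domain", "mac")}
        self.collected[key] = record
        self.unresolved.pop(key, None)  # a later successful query supersedes an earlier failure
        # An empty domain (workgroup-only host or no GROUP <00> row) is treated as unapproved, not skipped.
        if record["domain"].upper() not in self.approved_domains:
            self.unapproved.append({"user": fields["user"], "ip": fields["ip"], **record})
            return "unapproved-domain"
        return "approved"


def run_demo() -> List[Optional[str]]:
    """Feed the constructed events through a correlator that approves only CORPDOMAIN."""
    c = VpnNbtCorrelator(approved_domains={"CORPDOMAIN"})
    return [c.process(e) for e in EVENTS]


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner should keep in mind when relying on this check. First, the NetBIOS name table is self-reported and unauthenticated: a host can register any workgroup or domain name, including the corporate one, without being domain-joined, so a matching domain is a hygiene signal rather than proof of an approved device, and a non-matching one is the reliable part of the check. Second, hosts with NetBIOS over TCP/IP disabled or UDP/137 filtered by a local firewall will land in the unresolved list alongside genuinely suspicious ones, so that list needs triage rather than automatic action.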